Receive Task Requests from a Policy Server Daemon

Receiving task requests from a policy server daemon, run hosts need to know which policy server daemon to acknowledge. This is controlled by the acceptmasters settings control. Further authentication is possible using the validatemasterhostname setting.

acceptmasters

  • Version 4.0.0 and later: acceptmasters setting available.

The acceptmasters setting specifies incoming connections from the policy server daemon that Privilege Management for Unix and Linux programs acknowledge.

The policy server hosts in the run host’s acceptmasters list must also be specified in the submit host’s submitmasters or altsubmitmasters lists.

The list can contain:

  • Host names
  • A single asterisk (*)denoting a Registry Name Service lookup
  • Netgroups in the form:
  • +@name
  • Hosts to exclude in the form:
  • -name
  • Netgroups to exclude in the form:
  • -@name
  • DNS SRV lookups, in the form:
  • _<pbul service name>._tcp.<domain name>.[:port=<port>[:interface=<IP or hostname>]]
  • External Programs, in the form:
  • `/path/to/external/program`

The order of precedence for the acceptmasters rules is:

  1. Command line for pblocald -m or --accept_masters argument
  2. Setting for acceptmasters
  3. Netgroup for pbacceptmasters

This keyword does not apply to pbssh. If it is present in the settings file, it does not have any effect on pbssh and is ignored.

acceptmasters myhost.mydomain
acceptmasters sparky spot
acceptmasters +@pbacceptmasters
acceptmasters +@pbacceptmasters -@badmasters -badhost

No default value

Run hosts

allowruntimeoutoverride

  • Version 5.2 and earlier: allowruntimeoutoverride setting not available.
  • Version 6.0 and later: allowruntimeoutoverride setting available.

The allowruntimeoutoverride setting allows a runhost's pb.settings to override a runtimeout value set in the master policy. Each runhost wanting to take advantage of this ability would then set the runtimeout keyword in their own pb.settings. allowruntimeoutoverride must be set to yes to allow this override to occur.

allowruntimeoutoverride yes
allowruntimeoutoverride no

Policy servers

For more information, please see "runtimeout" in the Privilege Management for Unix and Linux Policy Language Guide.

runtimeout

  • Version 4.0.0 and later: runtimeout setting available.

When the policy server allows runtimeout overrides, the runtimeout keyword is used to set an idle time limit for all secured tasks on this runhost. The runtimeout variable specifies the amount of idle time, in seconds, that the submitting user is allowed before the run host terminates the current request.

The runtimeout keyword is not honored in local mode or pbssh.

The policy server's runtimeoutoverride keyword must be set to yes to allow this override to occur.

runtimeout 600
runtimeout 0

Run hosts

For more information, please see "runtimeout" in the Privilege Management for Unix and Linux Policy Language Guide.